The recently released Microsoft Security Intelligence Report highlights the vast improvements in security from Windows XP to Windows 7. Even so, no operating system is perfect. I asked security experts what they think about Windows 7 security and came up with a list of what Microsoft got right and where Microsoft is still missing the mark.
A Step in the Right Direction
Here are three things Microsoft got right with Windows 7 security:
1. ASLR and DEP. ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) both existed in Windows Vista, but have been improved for Windows 7. ASLR makes it more complicated for attackers to determine where core functions reside in memory, and DEP prevents buffer overflow attacks from working on files or in storage areas that are specifically intended to hold data.
2. BitLocker-to-Go. Microsoft added BitLocker drive encryption in Windows Vista. Originally it was only capable of encrypting the partition that Windows was actually installed on, but the functionality was expanded with Service Pack 1 to include additional partitions or volumes--but not portable storage.
Tyler Reguly, Lead Security Research Engineer with nCircle, notes that with Windows 7, Microsoft has included the ability to encrypt data on USB thumb drives. Reguly says that with the popularity of USB thumb drives--capable of holding gigabytes of data--"the expansion of BitLocker to include removable drives should be counted as a significant enhancement."
3. IE8. Tyler Reguly commented that "The release of IE8 makes it evident that Microsoft is starting to take browser security seriously."
Sophos' Wisniewski elaborated more, explaining that IE8 "includes a new protection called SmartScreen which is similar to the protection in Google Chrome and Mozilla Firefox. This anti-phishing/anti-malware URL filtering is built into the browser, which can block known bad sites and helps protect users."
More Work to Be Done
As far as Microsoft has come with security, it’s not perfect. No operating system ever will be. Still, it can't hurt to try so here is a look at some of the areas that Windows 7 is lacking and perhaps some ideas for Microsoft to work on for Windows 8.
1. Windows Firewall. One of the primary complaints about earlier versions was that it only restricted inbound traffic and did not provide any mechanism for blocking or filtering traffic outbound from the Windows PC. Microsoft has addressed that.
nCircle's Tyler Reguly says "As a personal choice, I won’t use third-party firewall software. I find them to be too resource-intensive and too much of a pain. So, I would love it if the Windows Firewall was more powerful."
2. Hidden File Extensions. Microsoft continues to hide known file extensions by default. Files named FinancialStatement.doc.exe will appear to the user as FinancialStatement.doc with an EXE icon. If these files are virus or trojan sent by email, that would be a big threat.
3. XP Mode Virtualization. Windows XP Mode virtualization can be a savior for situations where there are legacy hardware devices or software applications that won't work under Windows 7.
The operative concern here, though, is that it is a complete Windows XP environment that is not protected in any way by the Windows 7 security controls.
Wisniewski also notes that "By default Windows auto-maps drives from your XP virtual machine to your Windows 7 machine. This could be a major malware vector if not properly protected."
The ever-popular UAC (User Account Control) gets an honorable mention as a pro and a con. Although it has been both presented and perceived as a security control, UAC is more about enforcing sound software development practices. Security is sort of a fringe benefit.
Tyler Reguly likes the changes Microsoft has made for UAC with Windows 7. "The decreased interruptions will mean more people will leave UAC on, this is definitely a benefit. It ends up being more functionality, less security, but can still be seen as an improvement in security overall."
Chet Wisniewski counters by pointing out that UAC is not really a security function in the first place, but also comments that " Microsoft does need to continue to use UAC to encourage developers to follow proper privilege separation models, because this can help Microsoft make a more secure Windows, but it should not be positioned as a feature to the end-user."
Anyway, nothing can be 100% perfect and its becoming better and better is enough. Windows 7 has brought us no small amazement. But as long as there are conceited computer geeks, problems are sure to arise. Users should build up reliable defense against various threats; install right antivirus, spyware removal, trojan removal software, etc.
original on pc world
by Tony Bradley
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment